General Data Protection Regulation. Still have not heard of it? This is an important legislation that you will have to know by heart and prepare your company to receive as early as May 2018.
An IDC study released on 30 January 2018 concluded that about 80% of European SMEs are not yet prepared for this regulation, while time is running out.
Below is a summary of the essentials to be retained in this new law.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a European regulation (EU 2016/679) which lays down rules on the protection, treatment and free circulation of personal data of persons in the countries of the European Union.
This regulation aims to strengthen citizens data protection and harmonize the legislation of EU member states.
When does it take effect?
The General Data Protection Regulation takes effect on May 25, 2018, replacing the current data protection law.
To whom does it apply?
The legislation applies to all organizations established in the European Union and to those outside the EU that deal with data from their residents.
The companies are obliged to prove compliance with all the requirements derived from the application of this regulation.
What does it require?
The new general regulation brings some significant changes, of different impact in organizations, according to their nature, the area of action, size, and type of treatments applied to personal data.
There are a number of day-to-day procedures that need to be reviewed in companies in order to follow the GDPR’s rules on the processing of personal data.
- The Regulation requires more information to be provided to data subjects, such as the legal basis for data processing, the period of retention of data and more detailed information on international transfers, and the possibility of filing a complaint with the National Commission for the Protection of Data.
- It is necessary to determine whether the consent obtained by the data controller from the holders respects all new requirements.
- The data collected must be used only for the purpose for which they are intended. At the time of submission of the data, this purpose has to be very explicit, such as the time during which it will be kept.
- The data holder has the right to consult his data, in the possession of the company, as well as the history of actions taken with this data.
- The Regulation also defines the concept of sensitive data subject to special treatment conditions, such as biometric data. Depending on the size and context of these treatments, it may be mandatory to appoint a Data Protection Officer.
- It is also necessary to review the subcontracting contracts of services carried out in the computation of personal data processing to determine whether they include all the items required by law.
What are the fines?
The new legal framework establishes a framework of fines based on two steps depending on the seriousness of the irregularity.
- In the least serious cases, the fine may reach EUR 10 million, or 2% of the annual worldwide turnover, whichever is the greater.
- In the most serious cases, the fine may reach EUR 20 million, or 4% of the annual worldwide turnover, whichever is the greater.
Where can the new regulations be followed?
To monitor the work being done by data protection authorities at European level, you can consult the website of the National Commission for Data Protection.
All information can be found on the website of European Union law.
Linked to data regulation is the important issue of cybersecurity.